Episode Transcript:
John:
Hi PANCasters and welcome back.
Today we have Amit and Nripendra back to discuss some updates in Prisma Access and specifically how it is designed as a modular service. Welcome back Amit and Nripendra.
So how does Prisma Access deliver a modular service?
Amit:
Hello. Thanks for having us back.
Prisma Access helps deliver consistent security to remote networks and mobile users. Irrespective of where you are, Prisma Access will allow customers to safely access the internet, SaaS applications, and data center resources. This service is built to be scalable and modular. The Lego blocks that build these services are Prisma Access infrastructure elements like RN (remote networks), MU (mobile users), and SC (service connections), all of which are virtual. We also have an explicit proxy deployment, with a node type called SWG (secure web gateway). These virtual instances other than SCs are security processing nodes (SPN). These modular entities help customers build their infrastructure and make Prisma Access a highly modular service. It is also important to note that all SPNs need an egress public IP to access the internet.
John:
Why did you come up with the new type of architecture?
What were the main concerns from the existing Prisma Access deployments that led to the new solution?
Nripendra:
In our existing Prisma Access deployment, by default, we assign a pool of public IP addresses for the customer deployment. These IPs are owned by Palo Alto Networks. However, as we autoscale out and in, more security processing nodes come up/go down and more public IP addresses will be allocated or unallocated automatically.
These IP addresses need to be allowlisted or removed from customers’ SaaS and private applications on the spot for seamless access. We do provide API and webhooks to obtain these IP addresses, but this may not be sufficient for smooth network operations.
This is one of the main reasons that we have come up with IP optimization.
John:
I see, and why is this so important?
Nripendra:
Any new allocation, un-allocation or reallocation may result in operational overhead such as re-configuring the allowlist in customers’ and their stakeholders’ systems. Such situations have resulted in compliance risks, heavy communication, as well as unwanted costs. Some of our customers have to execute a project just for allowlisting IPs.
John:
So how does the NGPA approach help? Can you give a scenario that it applies to and what does it entail?
Amit:
Next Generation Prisma Access (NGPA) or IP optimized Prisma Access (and we're going to use these terms interchangeably through this podcast) is a feature that can be used by a Prisma Access customer by checking the IP optimization check box on their Panorama or SCM managed Prisma Access tenant. More than one mobile user gateway in a region triggers a pair of NAT gateways to be deployed that will egress traffic in that region. All scheduled or auto-scaled gateways in the region will now use this NAT GW to egress traffic to the internet.
At the same time, this spins up a load balancer that will load balance traffic from the user to the Mobile Users gateways in the region.
So in essence the Mobile User gateways in a region will see load balanced traffic from end users. This traffic will be processed by the mobile user gateways and sent to the NAT device when it egresses to the internet. This is where the traffic gets NATed to the egress IP on the NAT device. What this means is that the customer will need to whitelist just this NAT GW egress IP with their providers.
However, for deployments that have only one mobile user gateway, the load balancer and egress NAT device are completely irrelevant; this feature will kick in only when you have more than one MU gateway. With just one MU gateway, you don't really need a NAT device or a load balancer.
John:
Now that we know how this is implemented, what benefits does a user see after deploying Prisma Access in the NGPA Architecture?
Nripendra:
Besides addressing all the concerns customers have on compliance, communication and change management, such as IP address allowlisting, one of the most important benefits that NGPA provides is that it improves resilience.
What that means is, if the customer traffic gets disrupted, for example, due to unexpected failure of a Prisma Access security processing node, the customer connection is seamlessly recovered and the end customer will not see any service disruptions. We have also built cross-region resilience, which comes out of the box. So even in an extremely rare case, where a whole Prisma Access region may have an outage, the customer experience will not get impacted.
And now because of NGPA, we have a capability to achieve a seamless product upgrade.
John:
For a customer to adopt these services, what are the challenges to be aware of? What would be the path for existing Prisma Access customers?
Amit:
NGPA is still very new even though we have successfully deployed this architecture for several large customers already.
I would say there are two types of challenges here for our brownfield customers running classic Prisma Access:
- This requires a migration operational downtime window, which may be difficult for customers to get, given the fact that Prisma Access is already a mission critical service for most of our customers.
- Because our customers most probably have allowlisted IP addresses across multiple SaaS products, they will need to coordinate with their SaaS providers to update the IP allowlist.
Given these challenges are present, we recommend that customers test this feature in their staging environments and plan adequately before deploying NGPA in their production environments.
John:
Great, so anything else coming up with Prisma Access? Any more new capabilities that customers can take advantage of?
Nripendra:
A few points I would like to highlight.
First, we have recently made NGPA the default architecture for our greenfield customers. Our partners and customers need to be aware of this during onboarding.
Then, given that IPv4 supply is really low, we are working on end-to-end support of IPv6 in NGPA which some of our major customers and Service Providers have requested.
Finally, as an extension of NGPA, we are working on High Performance Remote Networks access or RN-HP. This RN-HP provides 2 Gbps bandwidth for a single site security processing. We plan to provide up to 5 Gbps bandwidth with a single remote network service IP address.
So this also helps in IP addresses optimization.
John:
Thanks again Amit and Nripendra. What would be the key takeaways for today's episode?
Amit:
IP optimization is the next generation of the Prisma Access solution and will optimize public IPv4 address usage for customers.
Nripendra:
We have already rolled out NGPA and we are running it for large scale customers.
We would like to tell all our customers to take advantage of this feature and make their network security operations simpler, more efficient and more effective.
There are no licensing fees to take advantage of NGPA as well as High Performance Remote Networks access.
We hope these are instantly useful for our customers.
John:
PANCasters, as always, you can find the transcript and additional info at live.paloaltonetworks.com.